W3C home > Mailing lists > Public > public-html-media@w3.org > August 2015

Re: [EME] Proposal for next steps on secure release

From: Mark Watson <watsonm@netflix.com>
Date: Tue, 25 Aug 2015 16:07:44 -0700
Message-ID: <CAEnTvdCkSRkG2i6qKttEuBoTR7vdUSyJP9G--1nSP70uSMub0Q@mail.gmail.com>
To: John Luther <jluther@jwplayer.com>
Cc: David Dorwin <ddorwin@google.com>, "public-html-media@w3.org" <public-html-media@w3.org>
On Tue, Aug 25, 2015 at 3:28 PM, John Luther <jluther@jwplayer.com> wrote:

> On Fri, Aug 21, 2015 at 4:54 PM, David Dorwin <ddorwin@google.com> wrote:
> >
> >
> > On Tue, Aug 18, 2015 at 7:21 AM, Mark Watson <watsonm@netflix.com>
> wrote:
> >>
> >>
> >>
> >> On Aug 17, 2015, at 10:55 PM, David Dorwin <ddorwin@google.com> wrote:
> >>
> >> I think we agree that EME should support concurrency fraud detection and
> >> enforcement while ensuring a strong user experience - we just differ in
> our
> >> opinions of where this can be best solved and where the complexities
> should
> >> lie. The renewals approach demonstrates there is a viable solution to
> >> securely detect and enforce concurrent usage
> >>
> >>
> >> As per my other mail, we don't agree that it covers all the use-cases
> with
> >> reasonable UX and server architecture impacts.
> >
> >
> > You're disagreeing with something I didn't say. I said there is a viable
> > solution. As I replied in that other thread, I think your mail addressed
> > something other than renewal.
> >
> >>
> >>
> >> that conforms to the web platform, and there appears to be agreement to
> >> support it in the EME spec.
> >>
> >>
> >> But we do agree it should be in the spec.
> >>
> >>
> >> Thus, the question is whether secure release, an alternative mechanism
> for
> >> concurrency fraud detection (but not enforcement) is acceptable and
> should
> >> also be included as an alternative in the spec.
> >>
> >> Despite the benefits to server availability or complexity - the
> magnitude
> >> of which we believe is debatable [1] - our main concerns on secure
> release
> >> remain unaddressed: supporting this feature imposes architectural
> >> constraints on (billions of) clients to ensure secure release works as
> >> intended,
> >>
> >>
> >> The feature is proposed to be optional, so nothing is imposed on anyone.
> >
> >
> > Making it “optional” doesn’t change that there are unresolved
> architectural
> > concerns.
> >
> >>
> >>
> >> and it is incompatible with some user-beneficial browsing modes and
> client
> >> architectures. (There is more on this in
> >>
> https://lists.w3.org/Archives/Public/public-html-media/2015Jun/0029.html.)
> >>
> >> In the license renewal thread, Mark questioned whether “additional
> >> [server] architectural complexity is justified and proportionate for
> this
> >> problem." I noted in my reply that such complexity is not a requirement
> for
> >> successful use of renewal. However, I believe that “proportionate for
> this
> >> problem” is a good evaluation metric for secure release. For a very
> narrow
> >> use case (a subset of the small number of sites using DRM’d media),
> >> including secure release (a partial solution that supports detection
> only)
> >> in the spec dictates that all user agents be architected to allow part
> of an
> >> application to write data after that web application is closed (or
> provide
> >> CDMs access to tamper-evident persistent storage).
> >>
> >>
> >> No, this is incorrect. The requirement is that the *CDM* not the web
> >> application be able to write on session close. Very different.
> >>
> >> This may have implications for client software architecture, for sure,
> but
> >> not web architecture.
> >
> >
> > I think we should clarify how the CDM behavior for this feature relates
> to
> > the application and thus web architecture. I'll cover that in the
> discussion
> > of the architectural question. I think the underspecification of
> “tracked”
> > sessions in the current spec text further contributes to the confusion.
> I'll
> > file a spec issue to address that.
> >
> >>
> >> That does not seem like a proportionate approach to address a preference
> >> for one fraud detection mechanism over the alternative, which avoids
> such
> >> requirements on all clients.
> >>
> >> Since the implications go beyond EME and are related to platform
> >> architecture, I propose we solicit guidance from the Technical
> Architecture
> >> Group on whether the architectural implications are acceptable and
> >> consistent with the principles of the web platform and whether there
> might
> >> be alternatives we have not considered. That will either confirm or
> >> alleviate the majority of our concerns around secure release's
> inclusion in
> >> EME and resolve our current impasse.
> >>
> >>
> >> I don't agree this needs to go to the TAG because I do not see any web
> >> architecture issue here.
> >
> >
> > The crux of the impasse is disagreement as to whether this is a web
> > architecture issue. As I said in the telecon, the TAG is the appropriate
> > party to make that determination as well as provide any relevant
> direction,
> > and we will follow up.
>
> +1. The debate over securestop/tracking has been going on for years
> and seems no closer to a resolution, a TAG review will help to move
> things forward.
>

​Actually, although a lot of time has passed, I think we have made a lot of
progress, since the mechanism has been greatly refined and the remaining
disagreement appears to be around a rather narrow question of whether
browsers can / should write to disk on close. That narrow question seems to
me to be one of software architecture, not web architecture.

...Mark

​



>
>
> >
> >>
> >>
> >> ...Mark
> >>
> >>
> >>
> >> David
> >>
> >>
> >> [1] I am having trouble identifying meaningful advantages of secure
> >> release over license renewal, both for the majority of users and
> server-side
> >> implementation. As mentioned in the other thread, the successful use of
> >> secure release appears to depend on server-side heuristics to identify
> >> clients on which enforcement mechanisms should be applied. (It appears
> from
> >> Mark’s reply that we should discuss this more.) In addition, services
> using
> >> secure release may need different heuristics depending on whether a
> client
> >> implements it using tamper-evident persistent storage or write-on-close.
> >>
> >> As described in the license renewal document, simple heuristics would
> >> enable variable buckets that would allow most users to be provided
> lenient
> >> renewal times. We believe it’s possible that such times would be
> sufficient
> >> to avoid user experience problems caused by the types of outages secure
> >> release seeks to avoid, all without having to implement resilient
> >> independent license servers. Add to this the fact that secure release
> does
> >> not provide enforcement, and using secure release ends up being more
> complex
> >> with negligible meaningful benefit.
> >
> >
>
>
>
> --
> John Luther
> SVP, Product Strategy
> jwplayer.com
>
Received on Tuesday, 25 August 2015 23:08:13 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 25 August 2015 23:08:14 UTC